Roovet

Security

Roovet uses a defense-in-depth approach to protect accounts, content, and transactions across Search, News, Shop, Books, Wallet, Developers/API, Suite/CRM & Flow, Virtual Rep & Telephony, Mail, and Providers (“Pros”).

1) Principles

  • Least privilege, separation of duties, and audited access to sensitive systems.
  • Secure defaults for APIs, CSRF protection, and strong session management.
  • Continuous monitoring, patching, and dependency management.

2) Transport & Storage

  • TLS for data in transit; modern cipher suites and HSTS where supported.
  • Industry-standard hashing for credentials; encryption at rest for sensitive fields and backups.
  • Key management and secret rotation practices for infrastructure and integrations.

3) Account Security

We support strong passwords and device management. Visit Account → Devices to review signed-in devices and revoke sessions. MFA may be required for sensitive actions in some areas.

4) Application Security

  • CSRF protection for web forms and JSON APIs; content security best practices.
  • Rate limiting, idempotency keys, and abuse detection for API write paths.
  • Webhook signing with X-Roovet-Signature and X-Roovet-Timestamp.
  • Secure file handling for uploads and public link controls in Flow/Drive.
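The webhook headers named above are what a receiver should check before trusting a delivery. The following is an added illustration, not Roovet's own code or documented format: it assumes a hypothetical scheme where X-Roovet-Signature is the hex HMAC-SHA256 of "<timestamp>.<body>" under a shared secret, and shows the two checks a receiver needs, a freshness window on X-Roovet-Timestamp against replay and a constant-time signature comparison.

```python
import hmac
import hashlib
import time
from typing import Optional

# Assumption for illustration only: HMAC-SHA256 over "<timestamp>.<body>", hex-encoded.
# This is not Roovet's published signing format.
TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is more than 5 minutes off


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Compute the value a sender would place in X-Roovet-Signature (assumed scheme)."""
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now: Optional[float] = None) -> bool:
    """Return True only if both headers are present, the timestamp is fresh, and the MAC matches."""
    now = time.time() if now is None else now
    ts = headers.get("X-Roovet-Timestamp")
    sig = headers.get("X-Roovet-Signature")
    if ts is None or sig is None:
        return False
    try:
        ts_int = int(ts)
    except ValueError:
        return False
    # Freshness first: a captured delivery replayed later fails even with a valid signature.
    if abs(now - ts_int) > TOLERANCE_SECONDS:
        return False
    expected = sign(secret, ts, body)
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode(), sig.encode())


# Constructed sample data: a test secret, a payload, and headers as a sender would emit them.
SECRET = b"whsec_example_constructed"
BODY = b'{"event":"order.paid","order_id":"ord_123"}'
NOW = 1_700_000_000
GOOD_HEADERS = {"X-Roovet-Timestamp": str(NOW), "X-Roovet-Signature": sign(SECRET, str(NOW), BODY)}
STALE_HEADERS = {"X-Roovet-Timestamp": str(NOW - 3600), "X-Roovet-Signature": sign(SECRET, str(NOW - 3600), BODY)}

if __name__ == "__main__":
    print(verify_webhook(SECRET, GOOD_HEADERS, BODY, now=NOW))          # True
    print(verify_webhook(SECRET, STALE_HEADERS, BODY, now=NOW))         # False: replayed an hour later
    print(verify_webhook(SECRET, GOOD_HEADERS, BODY + b" ", now=NOW))   # False: body altered in transit
```

Verify against the raw request bytes, not a re-serialised JSON object, since any whitespace or key-order change alters the MAC.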

5) Secure Development Lifecycle

  • Code review, dependency scanning, and continuous integration checks.
  • Periodic application testing and configuration hardening.
  • Change management with rollback strategies and audit trails.

6) Wallet, Payments & Orders

The Wallet is a stored-value feature. Payment data is handled with trusted providers; we do not store full card numbers. Anti-fraud protections, dispute handling, and secure payout flows help reduce risk.

7) Virtual Rep & Telephony

We require opt-in where applicable, support opt-out keywords, and log consent. Calls/SMS use verified routes when possible. Abuse, spam, and unlawful messaging are prohibited and monitored.

8) Operations & Reliability

  • Monitoring, alerting, backups, and tested recovery procedures.
  • Capacity planning and DDoS-aware edge protections.
  • Public status updates on the Status page.

9) Responsible Disclosure

If you discover a vulnerability, please report it responsibly with sufficient detail to reproduce. Avoid accessing other users’ data, exfiltrating information, or disrupting services. We’ll acknowledge valid reports and work to remediate promptly.

10) Contact & Incident Response

For urgent security matters, use the contact methods listed on our site and include “Security” in the subject. In the event of a notifiable incident, we will provide notices consistent with legal requirements.